Software applications may contain flawed logic, or faults. A carefully crafted malicious input and/or program may exploit the faults in a software application in a manner that causes the application to deviate from its intended behavior. Such deviation may have potentially dangerous consequences for the application's user and/or the system on which the application is running; such faults are often referred to as “software vulnerabilities” or simply “vulnerabilities”. Memory-corruption vulnerabilities are an important class of software vulnerabilities that lead to corruption of an application's in-memory data. A taxonomy of software vulnerabilities known as the Common Weakness Enumeration (CWE Version 2.8, “CWE—Common Weakness Enumeration,” MITRE 2014-7-31) provides a categorization of some possible vulnerabilities.
Although numerous techniques are available for detecting and handling software vulnerabilities, many conventional techniques do not provide an efficient and robust system capable of detecting and handling the wide range of possible software vulnerabilities. Embodiments of the present invention provide a robust and efficient technique for automatically protecting, or hardening, software against exploitation of memory-corruption vulnerabilities.
An example embodiment provides a computing system comprising at least one memory and at least one processor configured to execute a security-enhanced application program. The program includes arranging a plurality of guard regions in the memory in relation to data objects formed by the application program, identifying an access by the application program to a guard region arranged in the memory as a disallowed access, and modifying the execution of the application program in response to the identifying. The modifying may be in order to prevent exploitation of the memory and/or to correctly execute the application program.
The identifying an access in example embodiments may include at least one of (A) tracking memory object creation and deletion, and (B) detecting whether a memory access by the application program is a disallowed access to a guard region.
The program may further include placing bipartite guards in the guard regions arranged in memory, the bipartite guards each having a predetermined number of bits. The detecting whether a memory access is a disallowed access may include determining an address associated with the memory access, and determining whether at least one of the bipartite guards placed in the guard regions is located at the determined address.
Placing bipartite guards may in example embodiments include placing a predetermined small guard value in one of the bipartite guards at one or more predetermined offsets. Determining whether at least one of the bipartite guards is located at the determined address may include checking whether the predetermined small guard value is positioned at the determined address.
Placing the bipartite guards may in example embodiments further include arranging uniformly randomly selected bytes in the parts of the bipartite guards where no predetermined small guard value is placed. Determining whether at least one of the bipartite guards is located at the address may include, if the predetermined small guard value is positioned at the address, determining whether the multi-byte aligned word containing the determined address holds a full guard value.
The predetermined small guard value may in example embodiments be one byte in size. The bipartite guards may be placed in all guard regions when the regions are created and are removed before a region is reused.
Determining whether at least one of the bipartite guards is located at the address may in example embodiments further include arranging a computation that causes a runtime exception if and only if the full guard value is present.
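The two-stage check described above, written out as an added example in C (this is illustrative code, not the patent's or any product's implementation). It assumes 8-byte guard words, a one-byte small guard value of 0xA5 placed at the predetermined offsets 0 and 4 of each word, random bytes drawn once per run for the remaining positions, and one guard word placed before and after each heap block; all of these values are assumptions for the example. Stage 1 tests only the byte at the accessed address, so almost every legitimate access exits after a single compare; stage 2 reads the aligned word containing the address and compares it with the full guard value, so legitimate data that merely happens to contain the marker byte is not reported.

```c
/* Added example (not the patent's code): bipartite guard words around heap blocks.
 * Assumed values: 8-byte guard words, marker byte 0xA5 at offsets 0 and 4 of each word,
 * random bytes elsewhere chosen once per run, one guard word before and after each block. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define GUARD_WORD   8u
#define SMALL_GUARD  0xA5u      /* assumed one-byte "small guard value" */

static const unsigned marker_offsets[] = { 0, 4 };  /* assumed predetermined offsets */
static uint64_t full_guard;                         /* full guard value for this run */

/* Build the full guard value: uniformly random bytes except at the marker offsets. */
void init_full_guard(unsigned seed)
{
    uint8_t b[GUARD_WORD];
    srand(seed);
    for (unsigned i = 0; i < GUARD_WORD; i++)
        b[i] = (uint8_t)(rand() & 0xff);
    for (size_t i = 0; i < sizeof marker_offsets / sizeof marker_offsets[0]; i++)
        b[marker_offsets[i]] = SMALL_GUARD;
    memcpy(&full_guard, b, GUARD_WORD);
}

/* Place bipartite guards: fill an 8-byte-aligned region with full guard words. */
static void place_guards(void *region, size_t len)
{
    uint8_t *p = region;
    for (size_t off = 0; off + GUARD_WORD <= len; off += GUARD_WORD)
        memcpy(p + off, &full_guard, GUARD_WORD);
}

/* Remove the guards before the region is reused (here: zero the region). */
static void remove_guards(void *region, size_t len) { memset(region, 0, len); }

/* Two-stage check for one accessed address:
 *  1. cheap byte test: does the byte at addr equal the small guard value?
 *  2. only then read the aligned word containing addr and compare it with the full guard.
 * The aligned word lies in the same page as addr, so stage 2 cannot fault where stage 1 did not. */
int access_hits_guard(const void *addr)
{
    const uint8_t *p = addr;
    if (*p != SMALL_GUARD)                   /* stage 1: nearly all legitimate accesses exit here */
        return 0;
    uintptr_t word = (uintptr_t)p & ~(uintptr_t)(GUARD_WORD - 1);
    uint64_t w;
    memcpy(&w, (const void *)word, GUARD_WORD);
    return w == full_guard;                  /* stage 2: random bytes make accidental matches unlikely */
}

/* Allocate n bytes with one guard word before and after; the user data is zeroed. */
void *guarded_alloc(size_t n)
{
    size_t body = (n + GUARD_WORD - 1) & ~(size_t)(GUARD_WORD - 1);
    uint8_t *raw = malloc(GUARD_WORD + body + GUARD_WORD);   /* malloc alignment is >= 8 */
    if (!raw) return NULL;
    place_guards(raw, GUARD_WORD);
    memset(raw + GUARD_WORD, 0, body);
    place_guards(raw + GUARD_WORD + body, GUARD_WORD);
    return raw + GUARD_WORD;
}

void guarded_free(void *p, size_t n)
{
    size_t body = (n + GUARD_WORD - 1) & ~(size_t)(GUARD_WORD - 1);
    uint8_t *raw = (uint8_t *)p - GUARD_WORD;
    remove_guards(raw, GUARD_WORD + body + GUARD_WORD);
    free(raw);
}

int main(void)
{
    init_full_guard(12345u);
    uint8_t *buf = guarded_alloc(16);
    printf("in-bounds byte 15   -> guard? %d\n", access_hits_guard(buf + 15));
    printf("one past the end    -> guard? %d\n", access_hits_guard(buf + 16));
    buf[0] = SMALL_GUARD;   /* legitimate data that happens to equal the marker byte */
    printf("marker-looking data -> guard? %d\n", access_hits_guard(buf));
    guarded_free(buf, 16);
    return 0;
}
```

With markers at offsets 0 and 4, every 4-byte-aligned access into a guard word begins on a marker byte and is caught by stage 1; an access that starts on one of the random bytes is caught only if that byte happens to equal the marker, which is the trade-off between check cost and coverage that the choice of offsets controls.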
An example embodiment may further include performing an exclusive-or operation of data in a guard map with a guard value in order to populate a substantially larger portion of the guard map with the guard value.
In some example embodiments, the tracking may include at least one of (A) for a portion of the memory that is a stack memory, directly mapping between a region of the stack memory that is being mapped and a guard map, (B) for a portion of the memory that is a heap memory, using a heap map to infer locations of the guards in the heap, and (C) for a portion of the memory that is a static memory, using standard data structures for representing sets to store a fixed set of said guard regions.
In some example embodiments, the tracking may include detecting a reuse of a block in a heap portion of the memory based upon whether (1) the block is returned from a function that sometimes returns uninitialized memory acquired directly from a memory allocation, and/or (2) the block is returned from a function having fewer than a predetermined number of external arguments.
In some example embodiments, the tracking may include detecting a reuse of a block in a heap portion of the memory based upon whether (1) the block contains data originally read from an external source, and (2) the data is overwritten with different data from an external source.
In some example embodiments, the tracking may include protecting a first set of areas of the memory using said bipartite guards and without guard maps, and protecting a second set of areas of the memory using homogenous guard values and guard maps.
In some example embodiments, the tracking may include, when a data object is freed by the application program, marking a region of the memory used by the data object as a guard region, and wherein the marking includes overwriting the region with guard values.
In some example embodiments, freed memory regions are marked with a dedicated unalloc-mem guard value distinct from other classes of guard values, and detecting a use-after-free error comprises checking for the unalloc-mem guard value.
In some example embodiments, the tracking may include, when a data object is freed by the application program, saving the current contents of the region before said overwriting; and, if a subsequent use of the region is detected, restoring the region using the saved contents.
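The freed-region handling of the preceding paragraphs, as an added C example (illustrative code, not the patent's implementation). It assumes a homogeneous unalloc-mem guard byte of 0xDF and a small fixed-size quarantine table in which freed blocks are kept rather than returned to the allocator; both are assumptions for the example. On free, the block's contents are saved and the block is overwritten with the guard value. A later access is reported as a use-after-free when the bytes it touches hold the guard value and the tracking table confirms the block is freed, which keeps live data that happens to contain 0xDF from raising an alarm. The recovery path restores the saved contents so the erroneous use observes the data the object held when it was freed.

```c
/* Added example (not the patent's code): freed blocks become guard regions filled with a
 * dedicated unalloc-mem guard value; contents are saved first so they can be restored.
 * Assumed values: guard byte 0xDF, quarantine of 64 freed blocks. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define UNALLOC_GUARD     0xDFu   /* assumed dedicated unalloc-mem guard byte */
#define QUARANTINE_SLOTS  64

struct freed_block {
    uint8_t *base;    /* freed region, now a guard region */
    size_t   len;
    uint8_t *saved;   /* copy of the contents taken before overwriting */
};

static struct freed_block quarantine[QUARANTINE_SLOTS];
static size_t quarantine_count;

/* Free a tracked block: save its contents, then overwrite it with the unalloc-mem guard.
 * The block stays in the quarantine (not returned to malloc) while it is guarded. */
int uaf_free(void *p, size_t len)
{
    if (quarantine_count == QUARANTINE_SLOTS) return -1;  /* table full; a real tool would evict */
    struct freed_block *fb = &quarantine[quarantine_count++];
    fb->base  = p;
    fb->len   = len;
    fb->saved = malloc(len);
    if (!fb->saved) { quarantine_count--; return -1; }
    memcpy(fb->saved, p, len);
    memset(p, UNALLOC_GUARD, len);        /* the region is now a guard region */
    return 0;
}

/* Is addr inside a freed (guarded) block? */
static struct freed_block *find_freed(const void *addr)
{
    const uint8_t *a = addr;
    for (size_t i = 0; i < quarantine_count; i++)
        if (a >= quarantine[i].base && a < quarantine[i].base + quarantine[i].len)
            return &quarantine[i];
    return NULL;
}

/* Check an access of `size` bytes at addr. Returns 1 for a use-after-free, else 0.
 * Stage 1 looks for the unalloc-mem guard value in the accessed bytes; stage 2 confirms
 * with the tracking table so live data equal to 0xDF is not reported. */
int check_access_uaf(const void *addr, size_t size)
{
    const uint8_t *p = addr;
    for (size_t i = 0; i < size; i++)
        if (p[i] != UNALLOC_GUARD) return 0;
    return find_freed(addr) != NULL;
}

/* Recovery: restore the saved contents into the region and leave the quarantine,
 * so the erroneous use sees the data the object held when it was freed. */
int restore_freed(void *addr)
{
    struct freed_block *fb = find_freed(addr);
    if (!fb) return -1;
    memcpy(fb->base, fb->saved, fb->len);
    free(fb->saved);
    *fb = quarantine[--quarantine_count];  /* swap-remove from the table */
    return 0;
}

int main(void)
{
    uint8_t *obj = malloc(32);
    memset(obj, 'A', 32);
    uaf_free(obj, 32);
    printf("read after free -> uaf? %d (byte 0x%02x)\n", check_access_uaf(obj, 4), obj[0]);
    restore_freed(obj);
    printf("after restore   -> uaf? %d (byte 0x%02x)\n", check_access_uaf(obj, 4), obj[0]);
    free(obj);
    return 0;
}
```

A real implementation would also bound the quarantine (evicting the oldest entries back to the allocator) and would remove the guard before the region is reused, as the bipartite-guard paragraphs above require.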
In some example embodiments, determining if an access to a memory location computed as (base+offset) is a disallowed access further includes checking if base is in a guard region.
In some example embodiments, determining if an access to a memory location computed as (base+offset) is a disallowed access further comprises checking if base and (base+offset) are in the same heap block.
In some example embodiments, modifying the execution of the application program includes: automatically determining when a memory overrun occurs by detecting an attempted access of the guard region at the end of a block in a heap portion of the memory; automatically marking another block adjacent to the block as allocated; and/or providing for the overrunning code to continue into the marked block.
In some embodiments, modifying the execution of the application program may include automatically determining when a memory overrun occurs by detecting an attempted access to one of the guard regions at the end of a first block in a heap portion of the memory, allocating a second block in the heap portion, wherein the second block is larger than the first block, copying data from the first block to the second block, converting the first block into a guard region such that subsequent accesses to the first block are detected as attempted accesses to one of said guard regions, and when a subsequent access to the first block is detected, redirecting the access to instead access the second block.
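The migrate-and-redirect recovery of the preceding paragraph, as an added C example (illustrative code, not the patent's implementation). It assumes a homogeneous guard byte of 0xCC, one 8-byte guard region after each tracked block, a small fixed-size tracking table, and a growth policy of doubling the block; all are assumptions for the example. `resolve_access` is the hook through which every memory access is checked: an in-bounds access passes through unchanged; an access that reaches into the trailing guard region is detected as an overrun, the block is migrated to a larger second block, the first block is filled with the guard value, and the access is redirected to the same offset in the second block. Any later access to the first block is detected as an access to a guard region and redirected too, so the program continues with the data it expected.

```c
/* Added example (not the patent's code): recover from a detected heap overrun by migrating
 * the block to a larger one and redirecting subsequent accesses to the first block.
 * Assumed values: guard byte 0xCC, 8-byte trailing guard region, table of 32 blocks. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define GUARD_BYTE  0xCCu   /* assumed homogeneous guard byte */
#define GUARD_LEN   8u      /* assumed guard region after each block */
#define MAX_BLOCKS  32

struct tracked {
    uint8_t *base;       /* first block, as returned to the program */
    size_t   len;        /* its usable size */
    uint8_t *moved_to;   /* NULL, or the second (larger) block it was migrated to */
    size_t   moved_len;
};

static struct tracked table[MAX_BLOCKS];
static size_t table_count;
static size_t overruns_recovered;   /* count of migrations performed */

/* Allocate a tracked block with a guard region at its end. */
void *tracked_alloc(size_t len)
{
    if (table_count == MAX_BLOCKS) return NULL;
    uint8_t *raw = malloc(len + GUARD_LEN);
    if (!raw) return NULL;
    memset(raw, 0, len);
    memset(raw + len, GUARD_BYTE, GUARD_LEN);   /* guard region at the end of the block */
    struct tracked *t = &table[table_count++];
    t->base = raw; t->len = len; t->moved_to = NULL; t->moved_len = 0;
    return raw;
}

/* Find the tracked block whose body or trailing guard contains addr. */
static struct tracked *find_block(const uint8_t *addr)
{
    for (size_t i = 0; i < table_count; i++) {
        struct tracked *t = &table[i];
        if (addr >= t->base && addr < t->base + t->len + GUARD_LEN) return t;
    }
    return NULL;
}

/* Allocate a larger second block, copy the data, and convert the first block into a guard region. */
static int migrate(struct tracked *t, size_t need)
{
    size_t new_len = t->len * 2 > need ? t->len * 2 : need;
    uint8_t *nb = malloc(new_len + GUARD_LEN);
    if (!nb) return -1;
    memcpy(nb, t->base, t->len);
    memset(nb + t->len, 0, new_len - t->len);
    memset(nb + new_len, GUARD_BYTE, GUARD_LEN);
    memset(t->base, GUARD_BYTE, t->len);        /* first block is now entirely guard */
    t->moved_to = nb;
    t->moved_len = new_len;
    overruns_recovered++;
    return 0;
}

/* Resolve an access of `size` bytes at addr to the address the program should actually use.
 * Untracked memory passes through; an overrun into the trailing guard triggers migration;
 * accesses to an already-migrated first block are redirected. Returns NULL if recovery fails. */
void *resolve_access(void *addr, size_t size)
{
    uint8_t *a = addr;
    struct tracked *t = find_block(a);
    if (!t) return addr;                          /* not a tracked block: pass through */
    size_t off = (size_t)(a - t->base);
    if (t->moved_to == NULL) {
        if (off + size <= t->len) return addr;    /* in bounds */
        if (migrate(t, off + size) != 0) return NULL;   /* overrun detected: grow the block */
    }
    if (off + size > t->moved_len) return NULL;   /* beyond the second block too */
    return t->moved_to + off;                     /* redirect into the second block */
}

int main(void)
{
    uint8_t *p = tracked_alloc(8);
    memcpy(p, "ABCDEFGH", 8);
    uint8_t *q = resolve_access(p + 8, 4);        /* one past the end: overrun */
    printf("overrun redirected: %s, recovered=%zu\n", q && q != p + 8 ? "yes" : "no", overruns_recovered);
    uint8_t *r = resolve_access(p, 8);            /* later use of the first block */
    printf("first block now guard byte 0x%02x, data via redirect: %.8s\n", p[0], r);
    return 0;
}
```

The redirect keeps working only for blocks that remain in the tracking table; a production tool would also migrate the second block again on a further overrun and release first blocks once no stale pointers to them can remain.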
Some embodiments may further include inserting read guards in newly allocated memory and/or memory that holds stale data, checking read accesses to determine whether an inserted read guard is accessed, thereby detecting runtime uses of uninitialized memory and/or potential information leaks, and removing an inserted read guard when a write access to the inserted read guard is detected.
Some embodiments may further include intercepting library calls writing a variable amount of said memory up to a specified maximum, and identifying portions of the memory between the end of said variable amount written and the specified maximum as stale data that the subject program no longer uses.
Some embodiments may further include at least one of (A) detecting an attempted scan of the memory by placing page guards on selected pages, or (B) detecting an attempted scan of the memory by inserting hooks in selected portions of code to check for the page guards.
An example embodiment provides a method for executing a security-enhanced application program on a computing system comprising at least one memory and at least one processor. The method includes: arranging a plurality of guard regions in the memory in relation to data objects formed by the application program, automatically identifying an access by the application program to a guard region arranged in the memory as a disallowed access, and automatically modifying the execution of the application program in response to the identifying. The modifying is performed in order to prevent exploitation of the memory and/or to correctly execute the application program.
An example embodiment provides a non-transitory computer readable storage medium storing a security-enhanced application program which, when executed by a processor of a computing system including a memory, causes the computing system to perform operations comprising: arranging a plurality of guard regions in the memory in relation to data objects formed by the application program, automatically identifying an access by the application program to a guard region arranged in the memory as a disallowed access, and automatically modifying the execution of the application program in response to the identifying. The modifying may be in order to prevent exploitation of the memory and/or to correctly execute the application program.
These aspects, features, and example embodiments may be used separately and/or applied in various combinations to achieve yet further embodiments of this invention.